
CVE-2018-16975: Elefant CMS PHP Code Execution Vulnerability

CVSS Score: 9.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.69297%
Published: 5/13/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: elefant/cms
Ecosystem: composer
Vulnerable Versions: < 2.0.7
First Patched Version: 2.0.7

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The analysis points at two spots in csspreview.php. First, file_get_contents() was called on the unsanitized $_GET['css'] parameter, so the requester chose which file was read, including files with a .php extension. Second, the content of $_POST['css'] was inserted directly into the HTML response without sanitization. Neither path passed the data through strip_tags(), which the patch added; strip_tags() removes PHP open/close tags along with HTML tags, so data that has been through it can no longer carry a `<?php` block. Attacker control over the file name (and therefore its extension) combined with attacker control over unsanitized content is what turned a stylesheet feature into a remote code execution vector: a file stored under the web root with a .php extension and `<?php` content is executed by the server as soon as it is requested.

Note for practitioners: stripping tags is a content-level mitigation. The more robust control is to never let user input choose the extension or path of a file that gets written (force a .css suffix and a restrictive name pattern), and on the read side to resolve the requested name against a single allowlisted directory rather than passing it to file_get_contents() as-is.
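To make the two failure modes above concrete, here is an added example written for this page; it is not Elefant CMS code and does not reproduce the project's handlers. It shows a minimal "save stylesheet" / "preview stylesheet" pair, first in the vulnerable shape the analysis describes (caller-controlled file name including extension, content stored verbatim, preview reads whatever file is named) and then hardened. The directory layout and the $name / $css parameters are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Elefant CMS code. The *_vulnerable() functions reproduce
// the pattern described in the root-cause analysis; the *_hardened() functions
// show the checks a reviewer would expect. $dir, $name and $css are assumed
// parameter names for this illustration.

/** Vulnerable: "shell.php" plus "<?php ... ?>" becomes an executable file under $dir. */
function save_stylesheet_vulnerable(string $dir, string $name, string $css): string
{
    $path = $dir . '/' . $name;          // caller controls the extension and any "../"
    file_put_contents($path, $css);      // content written verbatim, PHP tags included
    return $path;
}

/** Vulnerable: the caller picks any readable path relative to $dir, e.g. "../config.php". */
function preview_stylesheet_vulnerable(string $dir, string $file): string
{
    return file_get_contents($dir . '/' . $file);
}

/**
 * Only letters, digits, "_" and "-" are accepted in a stylesheet name. With no
 * "." and no "/" the caller can neither choose the extension nor leave $dir;
 * the application appends ".css" itself.
 */
function stylesheet_path(string $dir, string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        throw new InvalidArgumentException("invalid stylesheet name: $name");
    }
    return $dir . '/' . $name . '.css';
}

/**
 * Hardened save: fixed .css extension (the decisive control, since the web
 * server does not execute .css files as PHP) plus strip_tags() on the content
 * as defence in depth. strip_tags() removes PHP tags as well as HTML tags, so a
 * "<?php ... ?>" block does not survive into the stored file.
 */
function save_stylesheet_hardened(string $dir, string $name, string $css): string
{
    $path = stylesheet_path($dir, $name);
    file_put_contents($path, strip_tags($css));
    return $path;
}

/** Hardened preview: same name validation, so only $dir/<name>.css can be read. */
function preview_stylesheet_hardened(string $dir, string $name): string
{
    $path = stylesheet_path($dir, $name);
    if (!is_file($path)) {
        throw new RuntimeException("no such stylesheet: $name");
    }
    return file_get_contents($path);
}

// Demo on a throwaway directory with constructed attacker input.
$dir = sys_get_temp_dir() . '/css-demo-' . getmypid();
mkdir($dir, 0700);
$payload = "<?php system(\$_GET['c']); ?>";   // constructed payload for the demo

$bad = save_stylesheet_vulnerable($dir, 'shell.php', $payload);
echo basename($bad), ' stored verbatim: ', file_get_contents($bad), PHP_EOL;

foreach (['shell.php', '../shell', 'theme'] as $name) {
    try {
        $good = save_stylesheet_hardened($dir, $name, $payload);
        echo basename($good), ' stored as: ', var_export(file_get_contents($good), true), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

echo 'preview: ', var_export(preview_stylesheet_hardened($dir, 'theme'), true), PHP_EOL;
```

Running it with the PHP CLI writes the verbatim payload as shell.php from the vulnerable function, while the hardened function rejects both "shell.php" and "../shell" on name validation and stores "theme" as theme.css with the PHP block removed by strip_tags(). The name pattern, not strip_tags(), is what actually prevents execution; strip_tags() only limits the damage if a file with the wrong extension ever does get written.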


WAF Protection Rules

WAF Rule

An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in `/designer/add/stylesheet.php` by using a `.php` extension in the New Stylesheet Name field in conjunction with `<?php` content, because of insufficient
